It is my understanding that the commenters in FFMPEG's favor believe that Google is doing a disservice by finding these security vulnerabilities, as they require volunteer burden to patch, and that they should either:

1) allow the vulnerabilities to remain undiscovered & unpatched zero-days (stop submitting "slop" CVEs.)

2) supply the patches (which i'm sure the goalpost will move to the maintainers being upset that they have to merge them.)

3) fund the project (including the maintainers who clearly misunderstand the severity of the vulnerabilities and describe them as "slop") (no thank you.)

This entire thread defies logic.

No one is saying #1. No one is arguing against #2. #3 is something all companies with significant reliance on OSS projects should help do.

The only thing that defies logic is how poorly your strawman is constructed.

It appears we are not reading the same thread.

Yep, that's clearly what I was saying. I want to just keep moving the goalposts (which I didn't even know I had set or moved in the first place) again and again.

Or I just want the $3.5 trillion company to also provide the patches to OSS libraries/programs/etc that their projects with hundreds of millions or billions in funding happen to find.

Crazy, I know.

location of goalposts scales with market cap